With 252 days until the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive comes into force, many firms operating in Europe are just starting to get ready or still trying to understand the gaps they need to address to comply with the General Data Protection Regulation (GDPR).
The GDPR represents a substantial overhaul of data protection legislation: the accountability principle will mean firms will need to examine how they hold and use data and take steps to demonstrate compliance with the data protection principles; implied consent is no longer going to be acceptable, nor will opt outs; the heavily publicised right to be forgotten will become a reality; and fines for breaches will be significantly higher - up to 20 million euros or 4% of global annual turnover, whichever is greater.
With so much information to digest and with only eight months left to prepare, Eze Castle Integration’s Chief Compliance & Security Officer, Bill Tan, and Director of Service, Simon Eyre, hosted a webinar to walk through the preparations required for GDPR as well as the implications & preparations for EU-based firms.
When September rolls around, Apple users await the annual release of the newest Apple products. This year was something special. It has been 10 years since the first ever iPhone came out! The original iPhone ran on OS X, lacked 3G (meaning you could only get online when connected to Wi-Fi), and didn’t include an App store. All in all, it's pretty remarkable to see how far Apple has come since 2007. But before we get to the new iPhones (yes, plural!), let's take a look at some of Apple's other exciting announcements.
Watch Series 3
Apple Watch has just recently surpassed Rolex and is now the #1 watch in the world. And for the first time ever, Apple Watch now has cellular built in. This means you can have the freedom to go anywhere with just your watch – no iPhone necessary! When the iPhone is left behind, your Apple Watch will allow you to make and receive phone calls and send text messages from your same phone number. You will be able to utilize the maps function, plus 'Find My Friends' will update your location based on where you and your watch are. Cellular and Apple Music allow users to stream up to 40 million songs. The new Watch is swimproof, 70% faster, allows for up to 18 hours of battery life and comes in a variety of new bands and colors.
With hurricane season fully upon us and Irma bearing down on Florida, firms must ask "Would my firm be ready if there were an emergency today?" and "Would my employees know what to do?" September is National Preparedness Month (NPM), which is sponsored by the Department of Homeland Security and FEMA’s Ready Campaign in an effort to increase awareness among individuals, businesses, families and communities. NPM aims to encourage the public to make preparedness a part of their daily lives and stresses the importance of being ready for the unknown.
Why should you focus on being prepared?
By teaching your employees why to prepare, your firm not only demonstrates the importance of preparedness; employees also retain knowledge and expertise that helps keep the business operational. Preparation can mean the difference between a successful and a failed recovery, both personally and professionally. Educating your employees on what they’ll need at home, where to go, who to contact, etc. will equip them with the right information at the time of an incident. With the proper information readily available, employees can focus on helping resume business operations more quickly.
Below is an excerpt from our whitepaper, 'Cybersecurity for Private Equity'.
As private equity firms become more dependent on outsourcing and adopt new technologies to support operations, the number of threats they expose themselves to increases exponentially. It can be a daunting task to stay on top of the new and evolving risks at hand, but meticulous attention needs to be employed to mitigate these ongoing threats.
Today’s hackers and cyber criminals are not only targeting IT systems, but humans as well. Attacks vary in target, size and motive, but all pose serious risks to your firm’s wellbeing, so it’s vital to be aware of the common threat types targeting your firm and the broader private equity community. Here are a few to be mindful of:
In addition to taking advantage of human errors and naiveté, today’s hackers are also incredibly successful at identifying gaps in technology that can lead them to profit (monetary or otherwise). One of these most critical gaps is a lack of adequate and timely patch management.
Software vulnerabilities have turned heads in 2017 with news-making ransomware outbreaks such as WannaCry and Petya calling attention to outdated patches and legacy technology. First, hackers look for an entry point: often a phishing email or other social engineering scheme intended to fool users into leaving a gateway open. Once inside a firm’s network, there’s no telling the damage a hacker can do, but we’re witnessing increased activity and success in exploiting these security holes caused by inadequate patching.
What can firms do to address this security gap? Unfortunately, the problem of patch management cannot be resolved with one click of a button. Successful and ongoing management and monitoring of security patches requires a diligent effort – and one that cannot be 100% automated. Regardless of size, most firms do not have the internal resources required to manage frequent patch roll-outs, particularly for firms leveraging a host of third-party applications.
To sustain the highest levels of resiliency and prevent software vulnerabilities from causing harm on their own or at the hands of malicious hackers, firms should look to implement a patch management service. Companies – such as Eze Castle Integration! – can provide fully managed patch services to ensure software and firmware remain up-to-date and are proactively monitored to prevent security bugs and malicious exploits, reducing overall firm risk. This means seasoned IT experts are keeping pace with a constantly changing threat landscape, enforcing consistent IT policies to eliminate weak links and reducing overhead so your IT resources can focus on more complex tasks.
Hackers are tricky. And one common phishing attack trick is registering domain names similar to those of the targeted organizations with the goal of capitalizing on typos or fast readers. It is a modern day sleight of hand.
Here’s an example. You search for West Hamilton Capital and www.westhamiltoncaptal.com pops up. If the phishing site looks similar to the real website, there is a good chance a visitor could be fooled. Additionally, the domain can be used in phishing email scams.
That is why it is important for firms to keep an eye on their company’s domain name variations. Some firms may even wish to proactively register variants or block similar domains to reduce the risk of them being used in social engineering scams against employees.
How Do Firms Monitor Domain Registrations?
DNStwist is a domain name permutation engine for detecting typo squatting, phishing and corporate espionage. Another option is the domain name permutation service DNStwister, which generates a list of domain names similar to the one entered and checks whether any of them are registered.
According to the DNStwister website, you can subscribe to receive alerts if a new domain is registered like yours, if an existing domain has changed IP address or has even been unregistered.
Here’s a sample DNStwister report for the fictitious West Hamilton Capital.
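To show what a permutation engine actually does before the registration check, here is an added example (not code from dnstwist, DNStwister or Eze Castle Integration) that generates look-alikes of the fictitious westhamiltoncapital.com using a few of the strategies such tools apply, classifies the post's westhamiltoncaptal.com variant, and resolves each variant through a pluggable resolver so it can run offline. The firm name, the homoglyph table and the resolver hook are constructed for the illustration.

```python
import socket

# Constructed example: the fictitious firm from the post, not a real registrant.
LEGIT_DOMAIN = "westhamiltoncapital.com"

# Small ASCII look-alike table; dnstwist also uses Unicode homoglyphs.
HOMOGLYPHS = {"i": "l1", "l": "i1", "o": "0", "e": "3", "a": "4", "s": "5"}

# Each strategy maps a bare domain label to the set of look-alike labels it yields.
FUZZERS = {
    "omission": lambda n: {n[:i] + n[i + 1:] for i in range(len(n))},
    "transposition": lambda n: {n[:i] + n[i + 1] + n[i] + n[i + 2:] for i in range(len(n) - 1)},
    "repetition": lambda n: {n[:i] + n[i] + n[i:] for i in range(len(n))},
    "hyphenation": lambda n: {n[:i] + "-" + n[i:] for i in range(1, len(n))},
    "homoglyph": lambda n: {n[:i] + g + n[i + 1:]
                            for i, c in enumerate(n) for g in HOMOGLYPHS.get(c, "")},
}


def permutations(domain):
    """Map every look-alike of `domain` to the first strategy that produced it."""
    name, _, tld = domain.lower().partition(".")
    variants = {}
    for strategy, fuzz in FUZZERS.items():
        for label in fuzz(name):
            if label != name:  # never report the legitimate name itself
                variants.setdefault(label + "." + tld, strategy)
    return variants


def classify(candidate, legit=LEGIT_DOMAIN):
    """Return the strategy that turns `legit` into `candidate`, or None if unrelated."""
    return permutations(legit).get(candidate.lower())


def find_registered(domain, resolve=socket.gethostbyname):
    """Resolve each variant and return {variant: strategy} for those that answer.

    `resolve` must raise OSError for unregistered names, as socket.gethostbyname
    (via socket.gaierror) does; pass a fake resolver to run offline.
    """
    hits = {}
    for variant, strategy in permutations(domain).items():
        try:
            resolve(variant)
        except OSError:
            continue
        hits[variant] = strategy
    return hits


if __name__ == "__main__":
    print(len(permutations(LEGIT_DOMAIN)), "variants;", classify("westhamiltoncaptal.com"))
```

Resolving an A record is only a first-pass check: a variant parked with just NS or MX records will not show up here, which is why DNStwister's alerting on new registrations and IP changes is the more complete monitoring signal for the firm's own name.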
This article appeared in its entirety in HFMWeek Magazine in August 2017. Part 2 is featured below. Read Part 1 HERE.
Our two-part feature covers 10 common security gaps as well as actionable advice on how to avoid them. In Part 1 we covered vulnerability assessments, patch management, social engineering, risk management and IT asset management. Now on to Part 2.
Business Continuity Planning
Business continuity planning (BCP) seems like a no-brainer in this day and age, but unfortunately, many firms still miss the mark as it relates to their security posture and preparedness. Some BCP gaps commonly identified during the risk assessment process include:
No business continuity or recovery plan in place
BCP hasn’t been updated within a year
Plan does not take a risk-based approach or deal with specific risk scenarios unique to the firm
A plan exists on paper, but employees have not been educated or trained on it
The above examples highlight critical gaps in business operations that could lead to significant repercussions in the event of a security incident. Beyond dealing with the technical aftermath of a cyber-breach, asset management firms must have continuity plans documented for the recovery of their business operations – including communication to internal and external parties, employee roles and responsibilities and prioritisation of business functions.
The most vital asset of a business is its data, and protecting that data is becoming more and more challenging. In our recent blog, Is Your Data Dirty? Data Hygiene Best Practices for Financial Services, we talk about securing your data and eliminating data that is no longer of appropriate use for your company. In doing so, you can help safeguard your firm.
“Dirty data” can include forgotten data, old reports, archived emails, and more. Duplicate data is similar to forgotten data in that it is often unknown that the copy exists. Not having a firm handle on the data within your organization can increase storage costs, complicate IT environments and ultimately make your firm vulnerable to cybersecurity events.
Beyond Internal Data Hygiene
Going beyond understanding where your sensitive data lives and practicing good internal data hygiene, firms need to understand where it is overexposed, how it is being accessed and how to protect it.
To help clients take control of their data, we encourage firms to take advantage of file auditing tools such as Varonis’ DatAdvantage, which provide insight into when and by whom corporate files are opened, edited or shared. DatAdvantage, which is included with our Eze Cloud Solutions, also aids in identifying stale (i.e. dirty) data that is no longer accessed by actual humans.
Additional benefits of DatAdvantage include:
Monitoring All Real-Time Access: Varonis monitors every open, create, delete and move event, and every email sent or received, that any individual generates. You see who accessed data, the action they performed, the name and type of the accessed file or email, the folder the file is stored in or moved to, and when.
What is the GDPR and Who is Affected?
The General Data Protection Regulation (GDPR) was adopted and approved by the EU parliament in April 2016 and will supersede the UK’s Data Protection Act 1998.
The GDPR directive will come into force on Friday 25th May 2018. It will apply to organisations located within the European Union (EU), but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The main intent of the GDPR directive is to give individuals more control over their personal data, impose stricter rules on companies handling it, and make sure companies embrace new technology to process the influx of data produced.
From 25th May 2018, penalties for failing to abide by the GDPR’s principles will lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is greater. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Since 2014, the Securities and Exchange Commission (SEC) has made it clear that cybersecurity risk is a top priority, and now, via its second round of examinations, the regulator has issued key observations to educate and inform financial firms and investment advisers of its growing expectations.
And while the SEC noted that, overall, firms demonstrated more preparedness than in the first round of exams in 2014, gaps remain within cybersecurity programs, notably around employee training, patch management and vulnerability assessments.
Following are noteworthy takeaways from the SEC’s cyber exam sweep observations:
Cybersecurity Gaps Observed:
Many firms’ policies & procedures were considered too vague or generic and failed to include specific safeguard examples or implementation procedures.
The SEC observed a failure by firms to ensure employees complete annual information security training as well as a failure to take action with employees who did not comply with said requirements.
Unlike broker-dealers, the majority of advisers do not have incident response plans in place, including plans for notifying customers and counterparties of breaches.